The World Needs Google Project Zero to be Real

Jul 16 2014, 6:10am CDT | News | Technology News

If someone does something altruistic in security, most people stand up and applaud. But these days, such actions also tend to attract polemicists to the party, especially of the cantankerous variety. Perhaps it’s no surprise, then, that Google’s Project Zero, which will gather some of the world’s finest minds in security to uncover dangerous bugs on the web, has attracted some scorn.

The withering comments are coming from a contentious part of the security industry: the zero-day exploit market. Companies in this sphere sell unpatched vulnerabilities to governments, law enforcement agencies and private entities, presumably to help them protect their own systems, though the exploit code is believed to be used to attack as well as to defend. They claim they are doing the world a favour by finding the bugs and being responsible in selling them only to trusted parties. Criminals are doing the same, so isn’t it better to have more “good guys” hoovering up bugs before crooks do?

Possibly. But there are many who loathe zero-day merchants. As they often won’t tell the vendor about the bugs they find, most people using the affected software remain in danger. And it’s only the merchants and their customers who benefit.

It’s possible Google’s Project Zero could disrupt that market, finding those vulnerabilities before anyone else does. Given the number of bugs that emerge from the cracks every year, though, this seems unlikely at best. That’s why people like Chaouki Bekrar, who heads up exploit seller VUPEN, have claimed Project Zero is “yet another marketing campaign from Google corporation, nothing new under the sun from a cyber security perspective”.

“What Google did not understand is that killing a few zero-days will make Google’s researchers and/or shareholders feel better but it will definitely not kill the market of zero-day exploits,” Bekrar said over email. “Instead it will make it even more lucrative as both the white and black market’s prices for zero-days will increase each time the number of available exploits decreases.” There will be a lot of money going around then: legitimate zero-day merchants have previously said their exploit code has sold for upwards of $500,000 in the past.

Robert Graham from Errata Security, which offers “offensive” security services, noted that Google has already been looking for zero-days in every kind of software. “I don’t think anything’s changed other than now they have a really cool name to put on the project,” Graham added.

“The most important aspect of this is how it helps Google… having a close-knit team of researchers learning from each other allows each member to produce vastly more than if they were working alone. Looking at other products produces intelligence that can be used to improve Google’s own products.”

If Bekrar and Graham are right, and Project Zero doesn’t negatively affect the zero-day vulnerabilities market and the value of these bugs goes up, criminal dealers are also likely to benefit. That’s perverse.

Not that crooks dealing in zero-days are selling cheap. Just this week, the Russian hacker w0rm, who attacked CNET and made off with at least a million users’ encrypted passwords, sent your reporter screenshots of what appeared to be his own exploit marketplace, w0rm.in. It included the bug w0rm used in the attack on the popular tech website, affecting the Symfony Framework, a set of tools that help developers build PHP websites.

According to w0rm, there are currently around 100 zero-days available for purchase on w0rm.in. The one in Symfony is going for as much as $30,000, whilst screenshots show others affecting some of the world’s biggest websites going for between $500 and $15,000 (those images won’t be shown here in case they are genuine bugs that criminals could use to steal data from those sites, though there is one shot below of the market).

Speaking in Russian, w0rm said the w0rm.in team came from an old school hacking background and have a love for freedom of information. They bring together experts to develop solutions for serious security problems, they added, whilst admitting that breaching a site’s defences was illegal in most countries on the planet.

Outside of recommending that CNET start collaborating with w0rm.in to improve security on the site, which would no doubt involve a hefty fee, w0rm suggested CNET start a bounty programme to help prevent future attacks. Neither of those two things is likely to happen, and one gets the feeling w0rm is being a tad disingenuous. The hacker won’t be disclosing the vulnerability in Symfony either, even though doing so would be a boon for internet security. Instead, he will try to make money out of it.

If only Google and its Project Zero team, or anyone for that matter, could bring an end to this kind of illicit activity. It would bring much-needed security to the world’s internet users.

Author: Forbes